1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.assertionStates;
20  
21  import javax.xml.namespace.QName;
22  
23  import org.apache.wss4j.common.WSSPolicyException;
24  import org.apache.wss4j.policy.SP13Constants;
25  import org.apache.wss4j.policy.SPConstants;
26  import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
27  import org.apache.wss4j.policy.model.AbstractToken;
28  import org.apache.wss4j.policy.model.UsernameToken;
29  import org.apache.wss4j.policy.stax.PolicyAsserter;
30  import org.apache.wss4j.stax.ext.WSSConstants;
31  import org.apache.wss4j.stax.securityToken.UsernameSecurityToken;
32  import org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent;
33  import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
34  import org.apache.xml.security.exceptions.XMLSecurityException;
35  import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
36  import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
37  import org.apache.xml.security.stax.securityToken.SecurityToken;
38  
39  /**
40   * WSP1.3, 5.4.1 UsernameToken Assertion
41   */
42  
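/**
 * Assertion state for the WS-SecurityPolicy 1.3, section 5.4.1 {@code sp:UsernameToken} assertion.
 * <p>
 * An incoming {@link UsernameTokenSecurityEvent} is matched against the nested assertions of the
 * policy's {@link UsernameToken}: the password type ({@code NoPassword} / {@code HashPassword}, or a
 * plaintext password when the policy names none), {@code sp13:Created}, {@code sp13:Nonce} and the
 * profile version ({@code WssUsernameToken10} / {@code WssUsernameToken11}). Each nested assertion
 * the token satisfies is asserted on the {@link PolicyAsserter}; the first one it fails is
 * unasserted together with an error message and the token is rejected.
 */
public class UsernameTokenAssertionState extends TokenAssertionState {

    /**
     * Creates the assertion state.
     * <p>
     * When the state starts out {@code asserted}, the nested password-type, Created, Nonce and
     * profile-version assertions of the {@link UsernameToken} are asserted immediately, mirroring
     * what {@link #assertToken} does for a token that satisfies them.
     *
     * @param assertion      the {@code sp:UsernameToken} assertion; it is cast to {@link UsernameToken}
     * @param asserted       whether the assertion counts as satisfied before any token is seen
     * @param policyAsserter receives the assert/unassert calls for this and the nested assertions
     * @param initiator      forwarded to {@link TokenAssertionState}; not used by this class itself
     */
    public UsernameTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
                                       PolicyAsserter policyAsserter, boolean initiator) {
        super(assertion, asserted, policyAsserter, initiator);

        if (asserted) {
            UsernameToken usernameToken = (UsernameToken) getAssertion();
            // The nested assertions live in the namespace of the enclosing sp:UsernameToken element.
            String namespace = usernameToken.getName().getNamespaceURI();
            if (usernameToken.getPasswordType() != null) {
                getPolicyAsserter().assertPolicy(new QName(namespace, usernameToken.getPasswordType().name()));
            }
            if (usernameToken.isCreated()) {
                getPolicyAsserter().assertPolicy(SP13Constants.CREATED);
            }
            if (usernameToken.isNonce()) {
                getPolicyAsserter().assertPolicy(SP13Constants.NONCE);
            }
            if (usernameToken.getUsernameTokenType() != null) {
                getPolicyAsserter().assertPolicy(new QName(namespace, usernameToken.getUsernameTokenType().name()));
            }
        }
    }

    /**
     * Returns the security event types this state listens for: only the UsernameToken event.
     *
     * @return a single-element array holding {@link WSSecurityEventConstants#USERNAME_TOKEN}
     */
    @Override
    public SecurityEventConstants.Event[] getSecurityEventType() {
        return new SecurityEventConstants.Event[]{
                WSSecurityEventConstants.USERNAME_TOKEN
        };
    }

    /**
     * Checks a UsernameToken security event against this assertion.
     * <p>
     * The checks run in order -- password type, Created, Nonce, profile version -- and stop at the
     * first failure, which is recorded via {@code setErrorMessage} and reported through
     * {@code PolicyAsserter.unassertPolicy}. A token that passes every check has the nested
     * assertions it satisfies asserted, followed by the {@code sp:UsernameToken} assertion itself.
     *
     * @param tokenSecurityEvent the event to check; must be a {@link UsernameTokenSecurityEvent}
     *                           whose security token is cast (unchecked) to {@link UsernameSecurityToken}
     * @param abstractToken      the policy token; cast (unchecked) to {@link UsernameToken}
     * @return {@code true} if the token satisfies every nested assertion, {@code false} otherwise
     * @throws WSSPolicyException   if {@code tokenSecurityEvent} is not a {@link UsernameTokenSecurityEvent}
     * @throws XMLSecurityException as declared by the superclass signature
     */
    @Override
    public boolean assertToken(TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent,
                               AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
        if (!(tokenSecurityEvent instanceof UsernameTokenSecurityEvent)) {
            throw new WSSPolicyException("Expected a UsernameTokenSecurityEvent but got "
                    + tokenSecurityEvent.getClass().getName());
        }
        UsernameSecurityToken usernameSecurityToken = (UsernameSecurityToken) tokenSecurityEvent.getSecurityToken();
        UsernameTokenSecurityEvent usernameTokenSecurityEvent = (UsernameTokenSecurityEvent) tokenSecurityEvent;
        UsernameToken usernameToken = (UsernameToken) abstractToken;

        // sp:NoPassword, sp:HashPassword and sp:WssUsernameToken10/11 are addressed in the
        // namespace of the enclosing sp:UsernameToken assertion.
        String namespace = getAssertion().getName().getNamespaceURI();

        if (!checkPasswordType(usernameToken, usernameTokenSecurityEvent, namespace)
                || !checkCreated(usernameToken, usernameSecurityToken, usernameTokenSecurityEvent)
                || !checkNonce(usernameToken, usernameSecurityToken, usernameTokenSecurityEvent)
                || !checkProfileVersion(usernameToken, usernameTokenSecurityEvent, namespace)) {
            return false;
        }

        // Always assert the enclosing assertion on success, so that a further token with the same
        // usage which neither satisfies nor is needed to satisfy this policy cannot raise a false alarm.
        getPolicyAsserter().assertPolicy(getAssertion());
        return true;
    }

    /**
     * Enforces the password-type part of the policy.
     * <p>
     * With {@code sp:NoPassword} the token must carry no password; with {@code sp:HashPassword} it
     * must carry a digested password. When the policy names no password type, a password is
     * required and it must not be digested, i.e. a plaintext password is the default.
     *
     * @return {@code false} if the token was rejected (the error has already been recorded)
     */
    private boolean checkPasswordType(UsernameToken usernameToken,
                                      UsernameTokenSecurityEvent usernameTokenSecurityEvent,
                                      String namespace) throws WSSPolicyException, XMLSecurityException {
        if (usernameToken.getPasswordType() == null) {
            if (usernameTokenSecurityEvent.getUsernameTokenPasswordType()
                    == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
                // A password is mandatory in the default case.
                setErrorMessage("UsernameToken must contain a password");
                getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
                return false;
            }
            if (usernameTokenSecurityEvent.getUsernameTokenPasswordType()
                    == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
                // The default case requires a plaintext password.
                setErrorMessage("UsernameToken password must not be hashed");
                getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
                return false;
            }
            return true;
        }

        switch (usernameToken.getPasswordType()) {
            case NoPassword: {
                QName noPassword = new QName(namespace, SPConstants.NO_PASSWORD);
                if (usernameTokenSecurityEvent.getUsernameTokenPasswordType()
                        != WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
                    return reject(noPassword, "UsernameToken contains a password but the policy prohibits it");
                }
                getPolicyAsserter().assertPolicy(noPassword);
                return true;
            }
            case HashPassword: {
                QName hashPassword = new QName(namespace, SPConstants.HASH_PASSWORD);
                if (usernameTokenSecurityEvent.getUsernameTokenPasswordType()
                        != WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
                    return reject(hashPassword, "UsernameToken does not contain a hashed password");
                }
                getPolicyAsserter().assertPolicy(hashPassword);
                return true;
            }
            default:
                // No check for any other value; the token proceeds to the remaining assertions.
                return true;
        }
    }

    /**
     * Enforces {@code sp13:Created} when the policy requires it: the token must carry a created
     * timestamp and its password type must be {@code PASSWORD_TEXT} -- a digested or absent
     * password fails this check even when a timestamp is present.
     *
     * @return {@code false} if the token was rejected (the error has already been recorded)
     */
    private boolean checkCreated(UsernameToken usernameToken, UsernameSecurityToken usernameSecurityToken,
                                 UsernameTokenSecurityEvent usernameTokenSecurityEvent)
            throws WSSPolicyException, XMLSecurityException {
        if (!usernameToken.isCreated()) {
            return true;
        }
        if (usernameSecurityToken.getCreatedTime() == null
                || usernameTokenSecurityEvent.getUsernameTokenPasswordType()
                        != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT) {
            return reject(SP13Constants.CREATED,
                    "UsernameToken does not contain a created timestamp or password is not plain text");
        }
        getPolicyAsserter().assertPolicy(SP13Constants.CREATED);
        return true;
    }

    /**
     * Enforces {@code sp13:Nonce} when the policy requires it: the token must carry a nonce and
     * its password type must be {@code PASSWORD_TEXT}, exactly like the Created check.
     *
     * @return {@code false} if the token was rejected (the error has already been recorded)
     */
    private boolean checkNonce(UsernameToken usernameToken, UsernameSecurityToken usernameSecurityToken,
                               UsernameTokenSecurityEvent usernameTokenSecurityEvent)
            throws WSSPolicyException, XMLSecurityException {
        if (!usernameToken.isNonce()) {
            return true;
        }
        if (usernameSecurityToken.getNonce() == null
                || usernameTokenSecurityEvent.getUsernameTokenPasswordType()
                        != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT) {
            return reject(SP13Constants.NONCE,
                    "UsernameToken does not contain a nonce or password is not plain text");
        }
        getPolicyAsserter().assertPolicy(SP13Constants.NONCE);
        return true;
    }

    /**
     * Enforces {@code sp:WssUsernameToken10} / {@code sp:WssUsernameToken11} against the profile
     * namespace declared by the token.
     * <p>
     * NOTE(review): a token that declares no profile at all ({@code getUsernameTokenProfile()} is
     * {@code null}) passes either assertion, because only an explicitly declared, mismatching
     * profile is rejected -- confirm this leniency is intended.
     *
     * @return {@code false} if the token was rejected (the error has already been recorded)
     */
    private boolean checkProfileVersion(UsernameToken usernameToken,
                                        UsernameTokenSecurityEvent usernameTokenSecurityEvent,
                                        String namespace) throws WSSPolicyException, XMLSecurityException {
        if (usernameToken.getUsernameTokenType() == null) {
            return true;
        }
        switch (usernameToken.getUsernameTokenType()) {
            case WssUsernameToken10: {
                QName usernameToken10 = new QName(namespace, SPConstants.USERNAME_TOKEN10);
                if (usernameTokenSecurityEvent.getUsernameTokenProfile() != null
                        && usernameTokenSecurityEvent.getUsernameTokenProfile()
                                .equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
                    return reject(usernameToken10, "Policy enforces UsernameToken profile 1.0 but we got 1.1");
                }
                getPolicyAsserter().assertPolicy(usernameToken10);
                return true;
            }
            case WssUsernameToken11: {
                QName usernameToken11 = new QName(namespace, SPConstants.USERNAME_TOKEN11);
                if (usernameTokenSecurityEvent.getUsernameTokenProfile() != null
                        && !usernameTokenSecurityEvent.getUsernameTokenProfile()
                                .equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
                    return reject(usernameToken11, "Policy enforces UsernameToken profile 1.1 but we got 1.0");
                }
                getPolicyAsserter().assertPolicy(usernameToken11);
                return true;
            }
            default:
                // No check for any other value; the token proceeds as accepted.
                return true;
        }
    }

    /**
     * Records {@code message} as this state's error message, unasserts {@code nestedAssertion}
     * with it and returns {@code false}, so that callers can write {@code return reject(...)}.
     *
     * @param nestedAssertion the nested assertion the token failed
     * @param message         the error to record and report
     * @return always {@code false}
     */
    private boolean reject(QName nestedAssertion, String message)
            throws WSSPolicyException, XMLSecurityException {
        setErrorMessage(message);
        getPolicyAsserter().unassertPolicy(nestedAssertion, getErrorMessage());
        return false;
    }
}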